sbotharaj (Established Member)

CHECKPOINT PROVIDER-1 SERVER INTEGRATION PROCEDURE

Disclaimer:

This post in no way overrides the original HP document SmartConnector for Check Point OPSEC NG

Treat it as a ready reckoner, or use it when you are stuck even after following the steps in the guide (as so many have, due to the heavy technical content of the document).


Method Used: OPSEC SSLCA (Easy & secure integration option for Checkpoint)


IMPORTANT CHECKS BEFORE PROCEEDING WITH INTEGRATION:

1. Supported Checkpoint NG versions (of the Provider-1 Server only; we are NOT concerned about enforcement modules, e.g. firewalls, as we can ONLY get the logs from the management server in the Checkpoint architecture). rkent says HP has a good heart in that they don't mind supporting obsolete versions. For more information, check out the thread "I want to integrate checkpoint smart connector for version R67.10. Is it possible?"


2. Steps for a SmartCenter environment differ; so do NOT follow the given procedure if you have a SmartCenter environment, and go to


3. Assumption: the MDS Container of the Customer (CMA) on the Provider-1 server itself is acting as Log Server for your enforcement modules. If you have a dedicated Log Server which is NOT residing on the same machine as the Provider-1 server, then do NOT follow the given procedure. (In this case, the Log Server device is the one the SmartConnector should talk to, so the procedure should be altered accordingly.)

4. In a cluster environment, you can perform this task only on the PRIMARY Provider-1 Server. Do NOT try it on the SECONDARY Server, for it behaves as Read Only.

STEPS FOR INTEGRATING SMARTCONNECTOR WITH CHECKPOINT PROVIDER-1 SERVER USING SSLCA AUTHENTICATION METHOD:

<CHECKPOINT ADMIN’S TASKS START HERE>

1. Ensure communication between the SmartConnector (a.k.a. LEA Client) & the MDS Container of the Customer (IP address of the Customer Management Add-on), a.k.a. LEA Server, on port 18184. You may have at least one firewall between these two nodes. Add a rule for this communication on the firewalls that come in between. (Src: SmartConnector IP, Dest: SmartCenter IP, Service: TCP/18184)


2. Check if the MDS instance on Provider-1 server is listening on port 18184.

$ netstat -a | grep 18184

3. It should listen on port 18184 by default, & the default authentication method supported is SSLCA. So there is NO need to edit any config file (especially, don't play with the fwopsec.conf file) & absolutely NO need to run mdsstop / mdsstart in this scenario.

4. Go to SmartDashboard. If you have already created a HOST object for the SmartConnector while executing Step 1, then skip Step 5 & go to Step 6.

5. Create a HOST object for the SmartConnector with its IP address.

6. From the Manage menu, select OPSEC Applications. In the OPSEC Applications window, click New and select OPSEC Application.

7. In the OPSEC Application Properties window, enter a Name for the object. Name it Arc_Sight, the convention which I usually follow.

8. In the HOST field, select the HOST object which we created for the SmartConnector.

9. Select LEA from the Client Entities section.

10. Enable SIC (note down the SIC activation key) & click Initialize.

11. Now go to the MDS instance of the customer in the Provider-1 Server CLI:

$ cpca_client lscert -kind SIC

From the output, note down the server SIC Name (i.e. copy the line that has CN=Arc_Sight) & the SIC Entity Name (i.e. copy the line that has CN=cp_mgmt). These two are needed during SmartConnector installation.

Note: You may have multiple entries with the same CN name. If that's the case, all but one will already have expired. Just focus on the "Valid" CN entry.


Sample SIC keys:

Subject = CN=Arc_Sight,O=project.com.2nguo2

Status = Pending   Kind = SIC   Serial = 11931

Not_Before: N/A   Not_After: Mon Sep 17 14:48:40 2018

Note: The Arc_Sight SIC key status must be Pending, as you have not yet initiated trust from the SmartConnector.

Subject = CN=cp_mgmt,O=cma1-project.hcl.com.2nguo2

Status = Valid   Kind = SIC   Serial = 56797   DP = 0

Not_Before: Tue Aug 30 14:45:14 2011   Not_After: Mon Aug 29 14:45:14 2016

Note: The CMA's SIC key status must be Valid.

From the above sample,

SIC Name: CN=Arc_Sight,O=project.com.2nguo2

SIC Entity Name: CN=cp_mgmt,O=cma1-project.com.2nguo2

Pass the CMA IP address, SIC Activation Key, server SIC Name & SIC Entity Name to the ArcSight Admin.


<CHECKPOINT ADMIN’S TASKS END HERE>

<ARCSIGHT ADMIN’S TASKS START HERE>

12. Install the SmartConnector Core software: that is, follow the steps until the "Add a connector" step. Quit the installation at that step & follow the procedure below.

13. Pull Cert:

-> Go to C:\$ARCSIGHT_HOME\current\bin\agent\checkpoint\OPSECAD\win32

-> command: opsec_pull_cert -h <CMA IP address> -n Arc_Sight -p <SIC Activation Key>

-> You will now have the opsec.p12 file in the same path, which is the SIC Certificate. (At this point, you can also ask the Checkpoint Admin to check the SIC status, which would now show as "Trust Established" in the Checkpoint Dashboard.)

-> Copy the output file to the C:\$ARCSIGHT_HOME\current\user\agent\checkpoint directory

-> When configuring the connector, the filename is all that is required: by default the connector looks in the directory specified above for the filename entered in the connector's parameter entry table, hence the full path is not required.

14. From $ARCSIGHT_HOME/current/bin, enter arcsight connectorsetup to return to the SmartConnector Configuration Wizard. When queried whether to enter Wizard mode, click Yes. Select "Checkpoint OPSEC NG" as the connector & "sslca" as the authentication method.

15. Connection Parameters:

Enter the IP address of the CMA, the file name (i.e. opsec.p12), and the SIC Name & SIC Entity Name that we noted earlier. If you pass this stage without any error message, Congratulations!!


<ARCSIGHT ADMIN’S TASKS END HERE>
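Step 11 asks the Checkpoint admin to pick the right Subject lines out of `cpca_client lscert -kind SIC` output, and the note warns that the same CN can appear several times with only one usable entry. The following shell script is an added example, not part of the original post and not Check Point or ArcSight code: it parses lscert-style output and returns the Subject DN for the OPSEC application (expected status Pending, as the post explains) and for cp_mgmt (expected status Valid), skipping expired duplicates. The sample output embedded in it is constructed to mirror the post's sample, with an extra expired Arc_Sight entry added to exercise the de-duplication; the application name Arc_Sight follows the post's convention.

```shell
#!/bin/sh
# Added example (not from the original post): select the usable SIC entries
# from `cpca_client lscert -kind SIC` output.

# Constructed sample, modelled on the post's sample output. The first Arc_Sight
# entry is an expired duplicate that must be skipped.
SAMPLE_LSCERT='Subject = CN=Arc_Sight,O=project.com.2nguo2
Status = Expired   Kind = SIC   Serial = 10244
Not_Before: N/A   Not_After: Mon Sep 14 10:00:00 2015

Subject = CN=Arc_Sight,O=project.com.2nguo2
Status = Pending   Kind = SIC   Serial = 11931
Not_Before: N/A   Not_After: Mon Sep 17 14:48:40 2018

Subject = CN=cp_mgmt,O=cma1-project.com.2nguo2
Status = Valid   Kind = SIC   Serial = 56797   DP = 0
Not_Before: Tue Aug 30 14:45:14 2011   Not_After: Mon Aug 29 14:45:14 2016'

# sic_subject CN STATUS
# Reads lscert output on stdin and prints the Subject DN of the first entry
# whose CN equals CN and whose Status equals STATUS. Each entry is a
# "Subject = ..." line followed by a "Status = ..." line, so we remember the
# subject and decide when the status line arrives.
sic_subject() {
    awk -v want_cn="$1" -v want_status="$2" '
        /^Subject = / { subject = substr($0, 11); next }
        /^Status = /  {
            status = $3
            if (subject ~ ("^CN=" want_cn ",") && status == want_status && !found) {
                print subject
                found = 1
            }
        }'
}

# sic_name LSCERT_TEXT APP_NAME
# The "server SIC Name" for the connector: the Pending certificate of the
# OPSEC application object (trust has not been pulled yet, so Pending is right).
sic_name() {
    printf '%s\n' "$1" | sic_subject "$2" Pending
}

# sic_entity_name LSCERT_TEXT
# The "SIC Entity Name": the Valid certificate of the management (cp_mgmt).
sic_entity_name() {
    printf '%s\n' "$1" | sic_subject cp_mgmt Valid
}

# Stand-alone usage against the constructed sample. On a real CMA you would
# feed the live output instead, e.g.:
#   cpca_client lscert -kind SIC | sic_subject Arc_Sight Pending
echo "SIC Name:        $(sic_name "$SAMPLE_LSCERT" Arc_Sight)"
echo "SIC Entity Name: $(sic_entity_name "$SAMPLE_LSCERT")"
```

If either function prints nothing, the status is not what the post expects (for example the Arc_Sight certificate is already Valid because trust was pulled earlier, or cp_mgmt has no Valid entry), which is worth resolving with the Checkpoint admin before handing the names to the ArcSight side.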

rkent1 (Acclaimed Contributor)

Re: CHECKPOINT PROVIDER-1 SERVER INTEGRATION PROCEDURE

Great stuff Suresh. I've done OPSEC LEA configuration with ArcSight and also two other SIEMs and it usually is a pain in the butt, especially the first time with each system!

The more that these lessons learned are shared, the better, so thanks for the writeup.

sbotharaj (Established Member)

Re: CHECKPOINT PROVIDER-1 SERVER INTEGRATION PROCEDURE

You have just reminded me of those scary nightmares I got during my arcsight childhood days due to Checkpoint & Cisco IPS!

Thank you for the encouragement! I will post such write-ups I have compiled!

junier-j-martin (Absent Member)

Re: CHECKPOINT PROVIDER-1 SERVER INTEGRATION PROCEDURE

Hi guys,

I got a question: what if I can't perform step 13, as mentioned, because Pull cert failed? Is there an alternative, so that I can manually get it from the Checkpoint FW and copy it to the smart connector?

Thanks

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.